Understanding Message Security in the Web Server

The Web Server offers integrated support for the WS-Security standard
in the server-side container. This functionality is integrated with Web Services
security and enforced by the container of the Web Server on behalf of applications.
The Web Server can protect any web service application without requiring changes
to the implementation of the application. It achieves this by providing
facilities to bind SOAP-layer message security providers and message protection
policies to the container and to applications deployed in the container.

Assigning Message Security Roles

In the Web Server, the system administrator and application deployer roles are expected to take primary responsibility
for configuring message security. In some situations, the application developer
might also contribute, although in the typical case either of these roles can secure
an existing application without changing its implementation and therefore
without involving the developer. The responsibilities of the various roles
are defined in the following sections.

System Administrator Tasks

The system administrator is responsible for the following tasks:

Configuring message security providers on the Web Server

Managing user databases

Managing the keystore and truststore files

Deploying the sample program fromwsdl-soap12,
which demonstrates message-layer web services security

A system administrator uses the Admin Console to manage server security
settings. Because the Web Server stores certificates and private keys in an NSS database,
the administrator manages them using certutil. For
an overview of message security tasks, see Configuring the Web Server for Message Security.

Application Deployer Tasks

The application deployer is responsible for the following tasks:

Specifying at application assembly any required application-specific
message protection policies if such policies have not already been specified
by upstream roles (the developer or assembler).

The application developer can set up message security but is not responsible
for doing so. The system administrator can configure message security so that
all Web Services are secured. The application deployer configures message
security when the provider or protection policy bound to the application must
differ from the one bound to the container.

Application Developer Tasks

The application developer or assembler is responsible for the following
tasks:

Determining whether an application-specific message protection
policy is required by the application. If the policy is required, the developer
or assembler works with the application deployer and ensures that the required
policy is specified during application assembly.

Username Tokens

The Web Server uses username tokens in SOAP messages to establish
the authentication identity of the message sender. The recipient of a message
containing a Username token with an embedded password validates that the
message sender is authorized to act as the user identified in the token
by confirming that the sender knows the user's secret password.

When using a Username token, a valid user database must be configured
on the Web Server.
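The recipient-side check described above, as an added example that is not part of the Web Server or its documentation: a sender builds a WS-Security UsernameToken with a digested password (the profile's Base64(SHA-1(nonce + created + password))), and the receiver looks the user up in a constructed user database, rejects stale timestamps and replayed nonces, and only then confirms that the sender knows the password. The user database, user name and timestamps are constructed sample values.

```python
import base64, calendar, hashlib, hmac, secrets, time
import xml.etree.ElementTree as ET

WSSE = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
DIGEST = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordDigest"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
# Constructed sample user database: the recipient needs the user's secret to check the digest.
USER_DB = {"alice": "s3cret"}

def password_digest(nonce: bytes, created: str, password: str) -> str:
    """PasswordDigest from the UsernameToken profile: Base64(SHA-1(nonce + created + password))."""
    return base64.b64encode(hashlib.sha1(nonce + created.encode() + password.encode()).digest()).decode()

def build_token(username, password, nonce=None, created=None):
    """Sender side: a UsernameToken with a digested password, a fresh nonce and a Created timestamp."""
    nonce = nonce or secrets.token_bytes(16)
    created = created or time.strftime(TS_FMT, time.gmtime())
    return (f'<wsse:UsernameToken xmlns:wsse="{WSSE}" xmlns:wsu="{WSU}">'
            f'<wsse:Username>{username}</wsse:Username>'
            f'<wsse:Password Type="{DIGEST}">{password_digest(nonce, created, password)}</wsse:Password>'
            f'<wsse:Nonce>{base64.b64encode(nonce).decode()}</wsse:Nonce>'
            f'<wsu:Created>{created}</wsu:Created></wsse:UsernameToken>')

def verify_token(xml_text, user_db, seen_nonces, now=None, max_skew=300):
    """Recipient side: return the authenticated username, or None if the token is rejected."""
    tok = ET.fromstring(xml_text)
    ns = {"wsse": WSSE, "wsu": WSU}
    username = tok.findtext("wsse:Username", namespaces=ns)
    pw_el = tok.find("wsse:Password", ns)
    nonce_b64 = tok.findtext("wsse:Nonce", namespaces=ns)
    created = tok.findtext("wsu:Created", namespaces=ns)
    # Accept only digested passwords that carry freshness data; a plaintext PasswordText is refused here.
    if pw_el is None or pw_el.get("Type") != DIGEST or not (nonce_b64 and created):
        return None
    secret = user_db.get(username)
    if secret is None:
        return None
    now = time.time() if now is None else now
    if abs(now - calendar.timegm(time.strptime(created, TS_FMT))) > max_skew:
        return None  # stale or future-dated token
    if nonce_b64 in seen_nonces:
        return None  # replay of an already-accepted token
    expected = password_digest(base64.b64decode(nonce_b64), created, secret)
    if not hmac.compare_digest(expected, pw_el.text or ""):
        return None  # sender does not know the user's password
    seen_nonces.add(nonce_b64)
    return username
```

The nonce cache must outlive a single request (and be shared across server instances) for the replay check to mean anything; the clock-skew window bounds how long that cache has to remember a nonce.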

Digital Signatures

The Web Server uses XML Digital signatures to bind an authentication
identity to the message content. Clients use digital signatures to establish
their caller identity, analogous to basic authentication or SSL client certificate
authentication. Digital signatures are verified by the message receiver to
authenticate the source of the message content, which might be different from
the sender of the message. When using digital signatures, valid keystore
and truststore files must be configured on the Web Server.

Encryption

The purpose of encryption is to modify the data such that it can only
be understood by its intended audience. This modification is accomplished
by substituting an encrypted element for the original content. When predicated
on public key cryptography, encryption establishes the identity of the parties
who can read the message.

Message Protection Policies

Message protection policies are defined for request message processing
and response message processing. These policies are expressed in terms of
requirements for source or recipient authentication. A source authentication
policy requires that the identity of the entity that sent a message, or that
defined the content of a message, be established in the message so that the
message receiver can authenticate it. A recipient authentication policy represents
a requirement that the message be sent such that the identity of the entities
that can receive the message can be established by the message sender. The
providers apply specific message security mechanisms so that the message protection
policies are realized in SOAP Web Services messages.

Request and response message protection policies are defined when a
provider is configured in a container. You can also configure application-specific
message protection policies at the granularity of the web service port or
operation within the Sun deployment descriptors of the application or application
client. Where message protection policies are defined, the request and response
message protection policies of the client must match the request and response
message protection policies of the server.